[openstack-dev] [Zun] Containers in privileged mode

João Paulo Sá da Silva joao-sa-silva at alticelabs.com
Tue Jan 2 19:06:34 UTC 2018


Thanks for your answer, Hongbin, it is very appreciated.

The use case is to use Virtualized Network Functions in containers instead of virtual machines. The rationale for using containers instead of VMs is better VNF density in resource-constrained hosts.
The goal is to have several VNFs (DHCP, FW, etc.) running on a severely resource-constrained OpenStack compute node. But without the NET_ADMIN cap I can't even start dnsmasq.

Is it possible to use clear container with zun/openstack?

From checking Gerrit it seems that this point was already addressed and dropped? Regarding the security concerns I disagree: if users choose to allow such a situation they should be allowed to.
It is the user responsibility to recognize the dangers and act accordingly.

In Neutron you can go as far as fully disabling port security; this was implemented, again, with VNFs in mind.

Kind regards,
João


>Hi Joao,
>
>Right now, it is impossible to create containers with escalated privileges,
>such as setting privileged mode or adding additional caps. This is
>intentional for security reasons. Basically, what Zun currently provides is
>"serverless" containers, which means Zun is not using VMs to isolate
>containers (for people who wanted strong isolation as VMs, they can choose
>secure container runtime such as Clear Container). Therefore, it is
>insecure to give users control of any kind of privilege escalation.
>However, if you want this feature, I would love to learn more about the use
>cases.
>
>Best regards,
>Hongbin
>
>On Tue, Jan 2, 2018 at 10:20 AM, João Paulo Sá da Silva <
>joao-sa-silva at alticelabs.com> wrote:
>
>> Hello!
>>
>> Is it possible to create containers in privileged mode or to add caps as
>> NET_ADMIN?
>>
>>
>>
>> Kind regards,
>>
>> João
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
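The exchange above turns on the gap between adding one capability (NET_ADMIN, which the poster says dnsmasq needs) and running a container fully privileged. The script below is an added example, not code from Zun, Docker or this thread: it decodes the CapEff bitmask that appears in /proc/<pid>/status using the kernel's capability numbering, and shows what a default container set is missing for the stated workload, what adding only NET_ADMIN changes, and how many further capabilities privileged mode would hand out on top of that. The CAP_NAMES table, the function names and the embedded status text are assumptions of this example; the sample CapEff value is constructed to match the default capability set of an unprivileged Docker container.

```python
"""Decode a Linux capability mask (CapEff from /proc/<pid>/status) and
compare a container's capability set against what a workload needs.

Added example, not Zun or Docker code. Capability numbers follow the
kernel's include/uapi/linux/capability.h (CAP_CHOWN = 0 ... = 40).
"""
import os

CAP_NAMES = [  # index == kernel capability number (assumed table, not from the thread)
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
ALL_CAPS_MASK = (1 << len(CAP_NAMES)) - 1  # what privileged mode grants

# Constructed sample: the status fields of a process inside an unprivileged
# Docker container with the default capability set (CapEff 00000000a80425fb).
SAMPLE_STATUS = (
    "Name:\tdnsmasq\n"
    "Pid:\t1\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_cap_eff(status_text):
    """Return the effective capability mask from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def decode_caps(mask):
    """Names of every capability present in mask, in kernel bit order."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def missing_caps(mask, required):
    """Subset of `required` (capability names) that mask does not contain."""
    return {name for name in required if not (mask >> CAP_BIT[name]) & 1}


def with_caps(mask, names):
    """Mask with the named capabilities added (the --cap-add equivalent)."""
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def extra_from_privileged(mask):
    """Capabilities privileged mode would grant beyond those already in mask."""
    return sorted(set(decode_caps(ALL_CAPS_MASK)) - set(decode_caps(mask)))


if __name__ == "__main__":
    # Use the real status file when available; fall back to the sample.
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = SAMPLE_STATUS
    current = parse_cap_eff(status)
    needed = {"NET_ADMIN"}  # what the thread says dnsmasq refuses to start without
    print("current caps :", decode_caps(current))
    print("missing      :", missing_caps(current, needed))
    narrow = with_caps(current, needed)
    print("with NET_ADMIN only, still missing:", missing_caps(narrow, needed))
    print("privileged would add %d more caps, e.g. %s"
          % (len(extra_from_privileged(narrow)), extra_from_privileged(narrow)[:5]))
```

Run inside a container to see its real set, or anywhere else to see the sample. The point it makes for the discussion: a single --cap-add covers the stated need, while privileged mode would also grant SYS_ADMIN, SYS_MODULE, SYS_PTRACE and the rest of the table, which is a much larger change to the host's trust boundary than the one capability the VNF asks for.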
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180102/e1ecb71a/attachment.html>